Methods of Limiting the Domain Name Service Traffic Against Distributed Denial of Service Attacks

Authors

  • Arthur S. Petrosyan, Institute for Informatics and Automation Problems of NAS RA
  • Eugene B. Prohkorenko, Institute for Informatics and Automation Problems of NAS RA

Keywords:

DNS, Denial of Service, DDoS, Amplification Attack, BIND

Abstract

The goal of the research described in this paper is to find methods of limiting Domain Name Service (DNS) traffic as a defense against Distributed Denial of Service (DDoS) attacks. Since DNS is a core network service, the protection of DNS servers is vital for the whole network infrastructure. Given the different forms of DDoS attacks on DNS servers (such as the DNS Amplification Attack), implementing effective preventive methods becomes very important. This article describes the research work done in the Academic Scientific Research Computer Network of Armenia (ASNET-AM), managed by the Institute for Informatics and Automation Problems (IIAP) of the National Academy of Sciences of the Republic of Armenia (NAS RA), aimed at deploying improved methods of limiting DNS traffic against DDoS attacks. Special attention was given to User Datagram Protocol (UDP)-based Amplification Attacks, which result in Distributed Reflective Denial of Service (DRDoS) attacks. The paper includes a description of best-practice configuration of protection methods for the most widely used name server software, the “Berkeley Internet Name Domain” (BIND9) package.

Published

2021-12-10

How to Cite

Petrosyan, A. S., & Prohkorenko, E. B. (2021). Methods of Limiting the Domain Name Service Traffic Against Distributed Denial of Service Attacks. Mathematical Problems of Computer Science, 42, 107–112. Retrieved from http://mpcs.sci.am/index.php/mpcs/article/view/221
